- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Fetch the details
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are trying to create a dashboard to understand the usage of our application version something like shown below
| Application Name | Version |
| sgs | 1.0.18 |
When we search for particular index ""sgs1.0.18*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" we get below result.
<< uri="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", SERVICE_PREFIX="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", path="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", resourceMethod="get", HTTP_METHOD="get", resourceUri="api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106"
Could you please help us to give sample splunk query to achieve the results .
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Giuseppe. Appreciate your support. This query has helped us to do what we are looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gcusello - I was able to fine the way with rename
"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" | rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)" | table app version userId date_mday| dedup userId | sort version | fields "app", "date_mday", "userId", "version" | rename "date_mday" AS "Date"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @gcusello ,
Sorry to come back , is there any way to change the table label.
example of my search:
"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" | rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)" | table app version userId date_mday| dedup userId | sort version
can my table looks like below
| app | version | userid | Date ( rather than date_mday) |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this line to the end of the query
| rename date_mday as Date- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Giuseppe. Appreciate your support. This query has helped us to do what we are looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @svodela,
good for you, see next time!
let me know if I can help you more, or, please, accept one answer for the other people of Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @svodela,
if you're sure that you applications haven't numbers in their name and that version is always in the format "nn.nn.nn", you could use a regex like the following to extract apps and versions and run a search like the following:
<your_search>
| rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)"
| table app versionyou can check the regex at https://regex101.com/r/FNieNJ/1
Ciao.
Giuseppe
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
